IN THE CLAIMS 



Claims 1-37 (Canceled) 

Please enter new claims 38-49, as follows:

38. (New) A computer program product for evaluating a security risk of an application, the 
computer program product comprising: 

one or more computer-readable tangible storage devices and program instructions stored on 
at least one of the one or more storage devices, the program instructions comprising:

program instructions to determine whether employees of two or more customer 
corporations are authorized to concurrently share use of the application; 

program instructions to determine whether a vulnerability in the application can be 
exploited by a user which has not been authenticated to the application; 

program instructions to assign numerical weights to the respective determinations, each 
of the numerical weights corresponding to a significance of the respective determination in 
quantifying the security risk; 

program instructions to combine the numerical weights to quantify the security risk; and 

program instructions to compare the quantification of the security risk based on the 
combined numerical weights to a monetary value of a benefit of the application, and based on the 
comparison, recommend whether to certify the application for use. 

39. (New) The computer program product of claim 38 further comprising:

program instructions, stored on at least one of the one or more storage devices, to 
determine whether there is a requirement for authentication for user access to the application; 
and wherein 

the program instructions to assign numerical weights to the respective determinations 
assign a numerical weight to the determination whether there is a requirement for authentication 
for user access to the application; and 

the program instructions to combine the numerical weights to quantify the security risk 
also use the numerical weight for the determinations whether there is a requirement for 
authentication for user access to the application, in quantifying the security risk. 

40. (New) The computer program product of claim 38 further comprising:

program instructions, stored on at least one of the one or more storage devices, to 
determine whether a third party can obtain unauthorized administrative authority to data 
maintained by the application; and 

program instructions, stored on at least one of the one or more storage devices, to 
determine whether a third party can obtain unauthorized read and/or write access to data 
maintained by the application; and wherein 

the program instructions to assign numerical weights to the respective determinations 
assign a numerical weight to the determination whether a third party can have unauthorized 
administrative authority to data maintained by said application, and assign a numerical weight to 
the determination whether a third party can have unauthorized read and/or write access to data 
maintained by said application; and 

the program instructions to combine the numerical weights to quantify the security risk 
also use the numerical weight for the determinations whether a third party can have unauthorized 
administrative authority to data maintained by said application and the numerical weight for the 
determination whether a third party can have unauthorized read and/or write access to the data, in 
quantifying the security risk. 

41. (New) The computer program product of claim 38 further comprising:

program instructions, stored on at least one of the one or more storage devices, to 
determine whether data accessible by a user via the application is confidential; 

the program instructions to assign numerical weights to the respective determinations 
assign a numerical weight to the determination whether data accessible by a user via the 
application is confidential; and 

the program instructions to combine the numerical weights to quantify the security risk 
also use the numerical weight for the determinations whether data accessible by a user via the 
application is confidential. 

42. (New) The computer program product of claim 38 wherein the monetary value of the 
benefit of the application is a cost savings due to use of the application. 

43. (New) The computer program product of claim 38 wherein the monetary value of the 
benefit of the application is a revenue gained by the application. 

44. (New) A system for evaluating a security risk of an application, the computer system
comprising: 

one or more processors, one or more computer-readable memories, one or more
computer-readable tangible storage devices, and program instructions stored on at least one of the one or
more storage devices for execution by at least one of the one or more processors via at least one 
of the one or more memories, the program instructions comprising: 

program instructions to determine whether employees of two or more customer 
corporations are authorized to concurrently share use of the application; 

program instructions to determine whether a vulnerability in the application can be 
exploited by a user which has not been authenticated to the application; 

program instructions to assign numerical weights to the respective determinations, each 
of the numerical weights corresponding to a significance of the respective determination in 
quantifying the security risk; 

program instructions to combine the numerical weights to quantify the security risk; and 

program instructions to compare the quantification of the security risk based on the 
combined numerical weights to a monetary value of a benefit of the application, and based on the 
comparison, recommend whether to certify the application for use. 

45. (New) The computer system of claim 44 further comprising:

program instructions, stored on at least one of the one or more storage devices for 
execution by at least one of the one or more processors via at least one of the one or more 
memories, to determine whether there is a requirement for authentication for user access to the 
application; and wherein 

the program instructions to assign numerical weights to the respective determinations 
assign a numerical weight to the determination whether there is a requirement for authentication 
for user access to the application; and 

the program instructions to combine the numerical weights to quantify the security risk 
also use the numerical weight for the determinations whether there is a requirement for 
authentication for user access to the application, in quantifying the security risk. 

46. (New) The computer system of claim 44 further comprising:

program instructions, stored on at least one of the one or more storage devices for 
execution by at least one of the one or more processors via at least one of the one or more 
memories, to determine whether a third party can obtain unauthorized administrative authority to 
data maintained by the application; and 

program instructions, stored on at least one of the one or more storage devices for 
execution by at least one of the one or more processors via at least one of the one or more 
memories, to determine whether a third party can obtain unauthorized read and/or write access to 
data maintained by the application; and wherein 

the program instructions to assign numerical weights to the respective determinations 
assign a numerical weight to the determination whether a third party can have unauthorized 
administrative authority to data maintained by said application, and assign a numerical weight to 
the determination whether a third party can have unauthorized read and/or write access to data 
maintained by said application; and 

the program instructions to combine the numerical weights to quantify the security risk 
also use the numerical weight for the determinations whether a third party can have unauthorized 
administrative authority to data maintained by said application and the numerical weight for the 
determination whether a third party can have unauthorized read and/or write access to the data, in 
quantifying the security risk. 

47. (New) The computer system of claim 44 further comprising:

program instructions, stored on at least one of the one or more storage devices for 
execution by at least one of the one or more processors via at least one of the one or more 
memories, to determine whether data accessible by a user via the application is confidential; 

the program instructions to assign numerical weights to the respective determinations 
assign a numerical weight to the determination whether data accessible by a user via the 
application is confidential; and 

the program instructions to combine the numerical weights to quantify the security risk 
also use the numerical weight for the determinations whether data accessible by a user via the 
application is confidential. 

48. (New) The computer system of claim 44 wherein the monetary value of the benefit of the 
application is a cost savings due to use of the application. 

49. (New) The computer system of claim 44 wherein the monetary value of the benefit of the 
application is a revenue gained by the application. 